Trojaner-Board - Account gehackt

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Account gehackt (https://www.trojaner-board.de/84195-account-gehackt.html)

Einen wunderschönen guten Abend wünsche ich,

ich komme soeben von Arbeit und wollte noch ein wenig meinem Online Spiel nachgehen. Beim Log in dann die Überraschung ID und Passwort stimmen nicht überein. Eine Nachfrage im TS erbrachte die Erkenntnis, dass ich seit dem Nachmittag online sei, ich aber zu dem Zeitpunkt auf Arbeit war. Anbei mein aktuelles HJT Log. Ich weiss habe eigentlich hier noch einen Thread offen aber das Problem hatte sich schnell gelöst, indem meine alte IDE Festplatte ihren Dienst.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23:13, on 28.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe
C:\Programme\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Everest Ultimate Engineer Edition 4.10.1078\everest.exe
C:\Programme\DNA\btdna.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
D:\Programme\DAEMON Tools Lite\daemon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
D:\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\TS3\TeamSpeak 3 Client\ts3client_win32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\Test.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Programme\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Programme\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Programme\Everest Ultimate Engineer Edition 4.10.1078\everest.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programme\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - D:\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6435 bytes

habe Malwarebytes laufen lassen und der hat den kleinen Stinker gefunden und gelöscht hier das log mit dem Fund:

Code:

C:\WINDOWS\system32\h@tkeysh@@k.dll

Code:

Malwarebytes' Anti-Malware 1.44

Datenbank Version: 3924

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13
 

29.03.2010 00:12:17

mbam-log-2010-03-29 (00-12-17).txt
 

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 115505

Laufzeit: 2 minute(s), 45 second(s)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0

Infizierte Dateiobjekte der Registrierung: 3

Infizierte Verzeichnisse: 0

Infizierte Dateien: 1
 

Infizierte Speicherprozesse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
 

Infizierte Verzeichnisse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien:

C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.

danach Malwarebytes Komplettscan:

Code:

Malwarebytes' Anti-Malware 1.44

Datenbank Version: 3924

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13
 

29.03.2010 00:44:53

mbam-log-2010-03-29 (00-44-53).txt
 

Scan-Methode: Vollständiger Scan (C:\|D:\|)

Durchsuchte Objekte: 186937

Laufzeit: 22 minute(s), 43 second(s)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0

Infizierte Dateiobjekte der Registrierung: 0

Infizierte Verzeichnisse: 0

Infizierte Dateien: 0
 

Infizierte Speicherprozesse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung:

(Keine bösartigen Objekte gefunden)
 

Infizierte Verzeichnisse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien:

(Keine bösartigen Objekte gefunden)

und Superantispyware:

Code:

SUPERAntiSpyware Scan Log

hxxp://www.superantispyware.com
 

Generated 03/29/2010 at 01:24 AM
 

Application Version : 4.34.1000
 

Core Rules Database Version : 4742

Trace Rules Database Version: 2554
 

Scan type       : Complete Scan

Total Scan Time : 00:37:07
 

Memory items scanned      : 495

Memory threats detected   : 0

Registry items scanned    : 5194

Registry threats detected : 0

File items scanned        : 67462

File threats detected     : 19
 

Adware.Tracking Cookie

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@bs.serving-sys[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@bluestreak[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@content.yieldmanager[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@adbrite[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@msnportal.112.2o7[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@atdmt[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@burstnet[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@ad.yieldmanager[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@serving-sys[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@ads.ad4game[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@casalemedia[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@doubleclick[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@www.burstnet[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@adfarm1.adition[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@tradedoubler[2].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@advertising[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@collective-media[1].txt

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@ad.zanox[2].txt
 

Adware.Vundo/Variant-X32[Header]

        D:\TRILLIAN\LANGUAGES\DE\MAIL.DLL

Ich lass jetzt nochmal Avira laufen und ändere alle wichtigen Passwörter. Kann ich noch was tun?

1. http://www.trojaner-board.de/74908-a...t-scanner.html

2. Hol dir OTL
Starte OTL
Kopiere unten in das Skript-Feld rein:

Zitat:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Schließe alle anderen Programme.
Klicke auf Quick Scan.
Poste die beiden Logs - OTL.txt und Extras.txt

GMER:

Code:

GMER 1.0.15.15281 - hxxp://www.gmer.net

Rootkit scan 2010-03-30 01:05:07

Windows 5.1.2600 Service Pack 3

Running: fg0f2enj.exe; Driver: C:\DOKUME~1\Kai\LOKALE~1\Temp\pgtdqpoc.sys
 
 

---- System - GMER 1.0.15 ----
 

SSDT      BAEB1E76                                                                                                            ZwCreateKey

SSDT      BAEB1E6C                                                                                                            ZwCreateThread

SSDT      BAEB1E7B                                                                                                            ZwDeleteKey

SSDT      BAEB1E85                                                                                                            ZwDeleteValueKey

SSDT      spbp.sys                                                                                                            ZwEnumerateKey [0xBA6C5CA4]

SSDT      spbp.sys                                                                                                            ZwEnumerateValueKey [0xBA6C6032]

SSDT      BAEB1E8A                                                                                                            ZwLoadKey

SSDT      spbp.sys                                                                                                            ZwOpenKey [0xBA6A70C0]

SSDT      BAEB1E58                                                                                                            ZwOpenProcess

SSDT      BAEB1E5D                                                                                                            ZwOpenThread

SSDT      spbp.sys                                                                                                            ZwQueryKey [0xBA6C610A]

SSDT      spbp.sys                                                                                                            ZwQueryValueKey [0xBA6C5F8A]

SSDT      BAEB1E94                                                                                                            ZwReplaceKey

SSDT      BAEB1E8F                                                                                                            ZwRestoreKey

SSDT      BAEB1E80                                                                                                            ZwSetValueKey

SSDT      BAEB1E67                                                                                                            ZwTerminateProcess
 

INT 0x63  ?                                                                                                                   8A462BF8

INT 0x63  ?                                                                                                                   8A462BF8

INT 0x63  ?                                                                                                                   8A462BF8

INT 0x63  ?                                                                                                                   8A462BF8

INT 0x83  ?                                                                                                                   8A652BF8

INT 0x83  ?                                                                                                                   8A652BF8

INT 0x83  ?                                                                                                                   8A462BF8

INT 0x83  ?                                                                                                                   8A652BF8

INT 0x84  ?                                                                                                                   8A462BF8

INT 0x94  ?                                                                                                                   8A462BF8

INT 0xA4  ?                                                                                                                   8A462BF8

INT 0xB4  ?                                                                                                                   8A652BF8

INT 0xB4  ?                                                                                                                   8A652BF8

INT 0xB4  ?                                                                                                                   8A652BF8

INT 0xB4  ?                                                                                                                   8A652BF8

INT 0xB4  ?                                                                                                                   8A652BF8
 

---- Kernel code sections - GMER 1.0.15 ----
 

?         spbp.sys                                                                                                            Das System kann die angegebene Datei nicht finden. !

.text     C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                            section is writeable [0xB9E4B360, 0x372FAD, 0xE8000020]

.text     USBPORT.SYS!DllUnload                                                                                               B9E2B8AC 5 Bytes  JMP 8A4621D8 

.text     adhh62cd.SYS                                                                                                        B9D4F386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]

.text     adhh62cd.SYS                                                                                                        B9D4F3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]

.text     adhh62cd.SYS                                                                                                        B9D4F3C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}

.text     adhh62cd.SYS                                                                                                        B9D4F3C9 1 Byte  [30]

.text     adhh62cd.SYS                                                                                                        B9D4F3C9 11 Bytes  [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}

.text     ...                                                                                                                 

init      C:\WINDOWS\system32\drivers\Senfilt.sys                                                                             entry point in "init" section [0xB7A13A00]

.text     C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xB6928300, 0x3B6D8, 0xE8000020]

.text     C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBAB48300, 0x1BEE, 0xE8000020]
 

---- Kernel IAT/EAT - GMER 1.0.15 ----
 

IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                  [BA6A8042] spbp.sys

IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                          [BA6A813E] spbp.sys

IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                 [BA6A80C0] spbp.sys

IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                         [BA6A8800] spbp.sys

IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                 [BA6A86D6] spbp.sys

IAT       \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                  [BA6B7E9C] spbp.sys

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KfAcquireSpinLock]                                                18C4830E

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!READ_PORT_UCHAR]                                                  1C8D9E88

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KeGetCurrentIrql]                                                 9E880000

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KfRaiseIrql]                                                      00001CA9

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KfLowerIrql]                                                      0E798366

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!HalGetInterruptVector]                                            74AAB000

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!HalTranslateBusAddress]                                           8186C636

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KeStallExecutionProcessor]                                        1A00001C

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!KfReleaseSpinLock]                                                1C8386C6

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                          C6020000

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!READ_PORT_USHORT]                                                 001C8E86

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                         86C60200

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                 00001CAA

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[WMILIB.SYS!WmiSystemControl]                                              8800001C

IAT       \SystemRoot\System32\Drivers\adhh62cd.SYS[WMILIB.SYS!WmiCompleteRequest]                                            001CB19E
 

---- Devices - GMER 1.0.15 ----
 

Device    \FileSystem\Ntfs \Ntfs                                                                                              8A5E21F8

Device    \Driver\usbuhci \Device\USBPDO-0                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBPDO-1                                                                                    8A474500

Device    \Driver\dmio \Device\DmControl\DmIoDaemon                                                                           8A5E41F8

Device    \Driver\dmio \Device\DmControl\DmConfig                                                                             8A5E41F8

Device    \Driver\dmio \Device\DmControl\DmPnP                                                                                8A5E41F8

Device    \Driver\dmio \Device\DmControl\DmInfo                                                                               8A5E41F8

Device    \Driver\usbuhci \Device\USBPDO-2                                                                                    8A474500

Device    \Driver\usbehci \Device\USBPDO-3                                                                                    8A5AC500

Device    \Driver\usbuhci \Device\USBPDO-4                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBPDO-5                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBPDO-6                                                                                    8A474500

Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                              8A6531F8

Device    \Driver\usbehci \Device\USBPDO-7                                                                                    8A5AC500

Device    \Driver\Ftdisk \Device\HarddiskVolume2                                                                              8A6531F8

Device    \Driver\Cdrom \Device\CdRom0                                                                                        8A3FB1F8

Device    \Driver\atapi \Device\Ide\IdePort0                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdePort1                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdePort2                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdePort3                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdePort4                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdePort5                                                                                  [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10                                                                        [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3                                                                         [BA5FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device    \Driver\Cdrom \Device\CdRom1                                                                                        8A3FB1F8

Device    \Driver\NetBT \Device\NetBT_Tcpip_{E1307D40-3EAE-4B75-A5CA-015203CAB599}                                            89EE01F8

Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                             89EE01F8

Device    \Driver\sptd \Device\166993684                                                                                      spbp.sys

Device    \Driver\PCI_PNP3684 \Device\0000004c                                                                                spbp.sys

Device    \Driver\NetBT \Device\NetbiosSmb                                                                                    89EE01F8

Device    \Driver\usbuhci \Device\USBFDO-0                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBFDO-1                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBFDO-2                                                                                    8A474500

Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                   89ECE1F8

Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                         89ECE1F8

Device    \Driver\usbehci \Device\USBFDO-3                                                                                    8A5AC500

Device    \Driver\Ftdisk \Device\FtControl                                                                                    8A6531F8

Device    \Driver\usbuhci \Device\USBFDO-4                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBFDO-5                                                                                    8A474500

Device    \Driver\usbuhci \Device\USBFDO-6                                                                                    8A474500

Device    \Driver\usbehci \Device\USBFDO-7                                                                                    8A5AC500

Device    \Driver\adhh62cd \Device\Scsi\adhh62cd1                                                                             8A3B21F8

Device    \Driver\adhh62cd \Device\Scsi\adhh62cd1Port6Path0Target0Lun0                                                        8A3B21F8

Device    \Driver\phmcd \GLOBAL??\phmcd                                                                                       8A5E31F8

Device    \FileSystem\Cdfs \Cdfs                                                                                              89EB2500
 

---- Registry - GMER 1.0.15 ----
 

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                     2

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                  0xC6 0x63 0x0D 0xFD ...

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     d:\Programme\DAEMON Tools Lite\

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     1

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xCC 0xDD 0x4B 0xD8 ...

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xC5 0x99 0xC8 0x71 ...

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xA5 0x7F 0x00 0x91 ...

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                     0

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                  0xD1 0xEB 0x3C 0x4D ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                     2

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                  0xC6 0x63 0x0D 0xFD ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     d:\Programme\DAEMON Tools Lite\

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     1

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xCC 0xDD 0x4B 0xD8 ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xC5 0x99 0xC8 0x71 ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x1A 0x81 0xE7 0x00 ...

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                     0

Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                  0xD1 0xEB 0x3C 0x4D ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                  771343423

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                  285507792

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                  3

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                                    

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                 2

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                              0xC6 0x63 0x0D 0xFD ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 d:\Programme\DAEMON Tools Lite\

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 1

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0xCC 0xDD 0x4B 0xD8 ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0xC5 0x99 0xC8 0x71 ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0xC7 0xF0 0x00 0x10 ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1                      

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                0x87 0x7D 0xFD 0x85 ...

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                    

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                 0

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                              0xD1 0xEB 0x3C 0x4D ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                                     2

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                                  0xC6 0x63 0x0D 0xFD ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     d:\Programme\DAEMON Tools Lite\

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     1

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0xCC 0xDD 0x4B 0xD8 ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0xC5 0x99 0xC8 0x71 ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xC7 0xF0 0x00 0x10 ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)  

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12                    0x87 0x7D 0xFD 0x85 ...

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                     0

Reg       HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                  0xD1 0xEB 0x3C 0x4D ...
 

---- EOF - GMER 1.0.15 ----

OTL:

Code:

OTL logfile created on: 30.03.2010 01:20:08 - Run 1

OTL by OldTimer - Version 3.1.37.3     Folder = D:\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 80,00% Memory free

4,00 Gb Paging File | 4,00 Gb Available in Paging File | 92,00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme

Drive C: | 39,06 Gb Total Space | 20,96 Gb Free Space | 53,65% Space Free | Partition Type: NTFS

Drive D: | 333,55 Gb Total Space | 133,85 Gb Free Space | 40,13% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: KAIS

Current User Name: Kai

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

 
 ========== Processes (SafeList) ==========

 

PRC - [2010.03.30 01:18:58 | 000,555,520 | ---- | M] (OldTimer Tools) -- D:\Downloads\OTL.exe

PRC - [2010.01.11 16:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe

PRC - [2009.11.13 10:02:06 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Programme\DNA\btdna.exe

PRC - [2009.08.06 16:56:00 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe

PRC - [2009.06.09 18:04:48 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe

PRC - [2009.04.23 15:51:38 | 000,691,656 | ---- | M] (DT Soft Ltd) -- D:\Programme\DAEMON Tools Lite\daemon.exe

PRC - [2009.03.02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe

PRC - [2008.07.21 03:17:54 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Programme\Lavasoft\Ad-Aware\aawservice.exe

PRC - [2008.04.14 07:52:46 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008.02.25 02:00:00 | 000,364,544 | ---- | M] (AVM Berlin) -- C:\Programme\avmwlanstick\WLanNetService.exe

PRC - [2007.10.12 09:34:56 | 000,071,096 | ---- | M] () -- D:\CDBurnerXP\NMSAccessU.exe

PRC - [2007.10.09 21:02:32 | 001,036,288 | ---- | M] (Analog Devices, Inc.) -- C:\Programme\Analog Devices\Core\smax4pnp.exe

PRC - [2007.10.08 08:47:38 | 000,864,256 | ---- | M] (Analog Devices, Inc.) -- C:\Programme\Analog Devices\SoundMAX\SMax4.exe

PRC - [2007.09.06 20:57:52 | 000,626,688 | ---- | M] () -- C:\Programme\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe

PRC - [2007.09.06 12:19:14 | 001,426,432 | ---- | M] () -- C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe

PRC - [2007.07.26 01:10:12 | 001,962,080 | ---- | M] (Lavalys, Inc.) -- C:\Programme\Everest Ultimate Engineer Edition 4.10.1078\everest.exe

PRC - [2006.11.13 14:50:28 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft ActiveSync\wcescomm.exe

PRC - [2006.11.13 14:50:16 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft ActiveSync\rapimgr.exe

PRC - [2005.05.27 12:24:52 | 000,310,272 | ---- | M] (shbox.de) -- C:\Programme\FreePDF_XP\fpassist.exe

PRC - [2001.02.23 11:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

 

 
 ========== Modules (SafeList) ==========

 

MOD - [2010.03.30 01:18:58 | 000,555,520 | ---- | M] (OldTimer Tools) -- D:\Downloads\OTL.exe

 

 
 ========== Win32 Services (SafeList) ==========

 

SRV - [2009.08.06 16:56:00 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2009.06.29 22:21:52 | 003,110,016 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)

SRV - [2009.06.09 18:04:48 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2008.07.21 03:17:54 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Programme\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)

SRV - [2008.02.25 02:00:00 | 000,364,544 | ---- | M] (AVM Berlin) [Auto | Running] -- C:\Programme\avmwlanstick\WLanNetService.exe -- (AVM WLAN Connection Service)

SRV - [2007.10.12 09:34:56 | 000,071,096 | ---- | M] () [Auto | Running] -- D:\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)

SRV - [2001.02.23 11:07:30 | 000,270,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)

 

 
 ========== Standard Registry (SafeList) ==========

 

 
 ========== Internet Explorer ==========

 

 

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 
 ========== FireFox ==========

 

FF - prefs.js..browser.startup.homepage: "www.google.de"

FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.1

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

 

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.03.24 13:31:10 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.03.24 13:31:10 | 000,000,000 | ---D | M]

 

[2008.08.26 13:59:33 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Extensions

[2010.03.29 01:27:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\extensions

[2010.03.17 00:02:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\extensions\de-DE@dictionaries.addons.mozilla.org

[2010.03.29 01:27:37 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions

[2008.09.04 02:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npbittorrent.dll

[2010.02.01 15:56:02 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml

[2010.02.01 15:56:02 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml

[2010.02.01 15:56:02 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml

[2010.02.01 15:56:02 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml

[2010.02.01 15:56:02 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

 

O1 HOSTS File: ([2001.08.23 14:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Ai Nap] C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe ()

O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [Cpu Level Up help] C:\Programme\ASUS\AI Suite\CpuLevelUpHelp.exe ()

O4 - HKLM..\Run: [CPU Power Monitor] C:\Programme\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe ()

O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)

O4 - HKLM..\Run: [KernelFaultCheck]  File not found

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [BitTorrent DNA] C:\Programme\DNA\btdna.exe (BitTorrent, Inc.)

O4 - HKCU..\Run: [DAEMON Tools Lite] D:\Programme\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)

O4 - HKCU..\Run: [EVEREST AutoStart] C:\Programme\Everest Ultimate Engineer Edition 4.10.1078\everest.exe (Lavalys, Inc.)

O4 - HKCU..\Run: [H/PC Connection Agent] C:\Programme\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)

O4 - HKCU..\Run: [MSMSGS] C:\Programme\Messenger\Msmsgs.exe File not found

O4 - HKCU..\Run: [PlayNC Launcher]  File not found

O4 - Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Programme\SUPERAntiSpyware\SASWINLO.dll - C:\Programme\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home

O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programme\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007.10.31 20:00:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{b3c4ecc3-30ee-11df-aec9-001d60aadb15}\Shell\AutoRun\command - "" = WMPLAYER.EXE

O34 - HKLM BootExecute: (autocheck autochk *) -  File not found

O34 - HKLM BootExecute: (pgdfgsvc C 1) - C:\WINDOWS\System32\pgdfgsvc.exe (Sysinternals - www.sysinternals.com)

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

NetSvcs: Ias - C:\WINDOWS\system32\ias [2007.10.31 20:45:45 | 000,000,000 | ---D | M]

NetSvcs: Iprip -  File not found

NetSvcs: Irmon -  File not found

NetSvcs: NWCWorkstation -  File not found

NetSvcs: Nwsapagent -  File not found

NetSvcs: WmdmPmSp -  File not found

 

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)

 
 ========== Files/Folders - Created Within 14 Days ==========

 

[2010.03.29 18:41:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\PCHealth

[2010.03.29 18:13:45 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Kai\IETldCache

[2010.03.29 18:07:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010.03.29 17:50:53 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010.03.29 17:44:24 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Windows Genuine Advantage

[2010.03.29 17:42:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall

[2010.03.29 17:37:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution

[2010.03.29 00:27:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SUPERAntiSpyware.com

[2010.03.29 00:27:28 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\SUPERAntiSpyware.com

[2010.03.29 00:27:28 | 000,000,000 | ---D | C] -- C:\Programme\SUPERAntiSpyware

[2010.03.29 00:03:40 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Malwarebytes

[2010.03.29 00:03:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010.03.29 00:03:31 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010.03.29 00:03:31 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware

[2010.03.29 00:03:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes

[2010.03.16 13:32:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2010.03.16 13:27:58 | 000,000,000 | ---D | C] -- C:\Programme\avmwlanstick

[2010.03.16 13:27:51 | 000,004,352 | ---- | C] (AVM Berlin) -- C:\WINDOWS\System32\drivers\avmeject.sys

[2010.03.16 13:27:16 | 000,401,920 | ---- | C] (AVM GmbH) -- C:\WINDOWS\System32\drivers\fwlanusbn.sys

[2010.03.16 13:27:16 | 000,077,824 | ---- | C] (AVM Berlin) -- C:\WINDOWS\System32\fwusbnci.dll

[2010.03.16 13:27:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\AVM_Driver

[2010.03.16 13:27:16 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Kai\AVM_Driver

[2010.03.16 13:26:09 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\U3

[2009.08.28 22:16:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Adobe

[2009.08.03 01:09:09 | 000,047,360 | ---- | C] (VSO Software) -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\pcouffin.sys

[2009.07.09 20:15:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft

[2008.05.11 15:35:57 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft

[2007.10.31 20:04:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft

[2007.10.31 20:00:48 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 
 ========== Files - Modified Within 14 Days ==========

 

[2010.03.30 01:14:08 | 000,175,169 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010.03.30 01:13:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010.03.30 01:13:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010.03.29 21:21:12 | 005,242,880 | -H-- | M] () -- C:\Dokumente und Einstellungen\Kai\NTUSER.DAT

[2010.03.29 21:21:12 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\Kai\ntuser.ini

[2010.03.29 19:57:07 | 000,000,020 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Eigene Dateien\aionmemo_5ab4bb9f.dat

[2010.03.29 18:37:29 | 000,118,952 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010.03.29 18:32:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010.03.29 17:45:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010.03.29 17:44:11 | 000,013,824 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\RemoveWGA12.exe

[2010.03.29 02:48:22 | 000,010,089 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\acc.rtf

[2010.03.29 02:32:10 | 000,000,139 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\VirusTotal - Kostenloser online Viren- und Malwarescanner - Ergebnis.URL

[2010.03.29 00:27:35 | 000,000,758 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\SUPERAntiSpyware Free Edition.lnk

[2010.03.29 00:03:39 | 000,000,682 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010.03.28 22:52:01 | 000,062,164 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\checkmytrip.com - your trav....pdf

[2010.03.28 01:38:02 | 000,000,020 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Eigene Dateien\aionmemo_38c87954.dat

[2010.03.23 18:50:13 | 001,049,932 | ---- | M] () -- C:\Dokumente und Einstellungen\Kai\Desktop\17_6.jpg

[2010.03.22 18:32:17 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010.03.16 13:44:59 | 000,000,528 | ---- | M] () -- C:\WINDOWS\win.ini

[2010.03.16 13:44:59 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010.03.16 13:44:59 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 
 ========== Files Created - No Company Name ==========

 

[2010.03.29 17:44:55 | 000,013,824 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Desktop\RemoveWGA12.exe

[2010.03.29 02:32:10 | 000,000,139 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Desktop\VirusTotal - Kostenloser online Viren- und Malwarescanner - Ergebnis.URL

[2010.03.29 00:27:35 | 000,000,758 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Desktop\SUPERAntiSpyware Free Edition.lnk

[2010.03.29 00:03:39 | 000,000,682 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010.03.28 22:52:01 | 000,062,164 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Desktop\checkmytrip.com - your trav....pdf

[2010.03.23 18:50:13 | 001,049,932 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Desktop\17_6.jpg

[2010.03.16 13:27:20 | 000,012,598 | ---- | C] () -- C:\WINDOWS\instwcli.inf

[2010.03.16 13:27:16 | 000,015,573 | ---- | C] () -- C:\WINDOWS\System32\drivers\fwlanusbn.bin

[2010.03.11 16:31:26 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\drivers\SSHDRV65.sys

[2009.11.26 15:45:10 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini

[2009.11.26 13:19:55 | 000,004,940 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\mtbjfghn.xbe

[2009.08.03 01:09:23 | 000,001,176 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\vso_ts_preview.xml

[2009.08.03 01:09:13 | 000,000,034 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\pcouffin.log

[2009.08.03 01:09:09 | 000,087,608 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\inst.exe

[2009.08.03 01:09:09 | 000,007,887 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\pcouffin.cat

[2009.08.03 01:09:09 | 000,001,144 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\pcouffin.inf

[2009.07.24 12:19:32 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys

[2009.07.24 12:19:31 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

[2009.06.15 23:09:21 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2009.03.18 23:35:09 | 000,000,392 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI

[2008.12.10 04:08:45 | 000,002,528 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\$_hpcst$.hpc

[2008.10.26 23:44:26 | 000,022,328 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\PnkBstrK.sys

[2008.10.14 03:13:12 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll

[2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll

[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll

[2007.10.31 22:19:09 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2007.10.31 22:19:08 | 000,034,304 | ---- | C] () -- C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007.10.31 21:14:22 | 000,000,305 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html

[2007.10.31 20:42:56 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007.10.31 20:38:59 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2007.10.31 20:38:59 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2007.10.31 20:38:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2007.10.31 20:36:23 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll

[2007.10.31 20:32:37 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll

[2007.10.31 20:32:37 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys

[2007.10.31 20:32:35 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys

[2007.10.31 20:32:35 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys

[2007.10.31 20:27:22 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2007.10.31 20:27:20 | 000,031,199 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2007.10.31 20:27:12 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2007.10.31 20:16:11 | 000,064,200 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat

[2007.06.29 01:43:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2007.06.29 01:43:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2007.06.29 01:43:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2007.06.29 01:43:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2007.06.29 01:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

 
 ========== LOP Check ==========

 

[2009.06.15 19:49:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DAEMON Tools Lite

[2008.05.23 23:59:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Funcom

[2009.07.24 12:21:01 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Tages

[2009.08.03 02:09:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\vsosdk

[2008.10.15 15:03:48 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Acreon

[2009.08.03 01:27:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Ashampoo

[2010.02.05 19:06:21 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\BitTorrent

[2009.06.15 19:50:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\DAEMON Tools

[2009.06.15 19:50:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\DAEMON Tools Lite

[2009.09.03 18:13:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\DAEMON Tools Pro

[2010.03.30 01:14:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\DNA

[2008.09.22 20:18:10 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\eMule

[2009.12.26 15:54:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mumble

[2008.04.01 01:24:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\T-DSL SpeedManager

[2007.10.31 20:31:37 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\TMP

[2010.01.02 00:35:31 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\TS3Client

[2009.07.24 12:23:55 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Ubisoft

[2009.09.04 14:30:25 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Vso

 
 ========== Purity Check ==========

 

 

 
 ========== Custom Scans ==========

 

 
 < %SYSTEMDRIVE%\*.exe >

 

 
 < MD5 for: AGP440.SYS  >

[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

 
 < MD5 for: ATAPI.SYS  >

[2004.08.04 01:10:00 | 018,782,319 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2008.04.14 08:03:54 | 020,108,202 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004.08.03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

[2004.08.03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

 
 < MD5 for: EVENTLOG.DLL  >

[2008.04.14 07:52:12 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008.04.14 07:52:12 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=04955AA695448C181B367D964AF158AA -- C:\WINDOWS\system32\eventlog.dll

[2004.08.04 00:57:20 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=B932C077D5A65B71B4512544AC404CB4 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

 
 < MD5 for: NETLOGON.DLL  >

[2008.04.14 07:52:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008.04.14 07:52:20 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=0098D35F91DEAB9C127360A877F2CF84 -- C:\WINDOWS\system32\netlogon.dll

[2004.08.04 00:57:32 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=D27395EDCD3416AFD125A9370DCB585C -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

 
 < MD5 for: SCECLI.DLL  >

[2008.04.14 07:52:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008.04.14 07:52:24 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=5132443DF6FC3771A17AB4AE55DCBC28 -- C:\WINDOWS\system32\scecli.dll

[2004.08.04 00:57:34 | 000,186,880 | ---- | M] (Microsoft Corporation) MD5=64DC26B3CF7BCCAD431CE360A4C625D5 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

 
 < %systemroot%\*. /mp /s >

 
 < %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

 
 < %systemroot%\Tasks\*.job /lockedfiles >

 
 < %systemroot%\system32\drivers\*.sys /lockedfiles >

[2009.06.15 19:45:34 | 000,721,904 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

 
 < %systemroot%\System32\config\*.sav  >

[2007.10.31 20:50:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2007.10.31 20:50:12 | 000,663,552 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2007.10.31 20:50:12 | 000,458,752 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< End of report >

Extras:

Code:

OTL Extras logfile created on: 30.03.2010 01:20:08 - Run 1

OTL by OldTimer - Version 3.1.37.3     Folder = D:\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

 

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 80,00% Memory free

4,00 Gb Paging File | 4,00 Gb Available in Paging File | 92,00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme

Drive C: | 39,06 Gb Total Space | 20,96 Gb Free Space | 53,65% Space Free | Partition Type: NTFS

Drive D: | 333,55 Gb Total Space | 133,85 Gb Free Space | 40,13% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: KAIS

Current User Name: Kai

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

 
 ========== Extra Registry (SafeList) ==========

 

 
 ========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)

 
 ========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Programme\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Programme\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "C:\Programme\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)

Directory [Winamp.Enqueue] -- "C:\Programme\Winamp\winamp.exe" /ADD "%1" (Nullsoft)

Directory [Winamp.Play] -- "C:\Programme\Winamp\winamp.exe" "%1" (Nullsoft)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 
 ========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 
 ========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Programme\Microsoft ActiveSync\rapimgr.exe" = C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)

"C:\Programme\Microsoft ActiveSync\wcescomm.exe" = C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)

"C:\Programme\Microsoft ActiveSync\WCESMgr.exe" = C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"D:\Sicherung D\SPIELE\CS Source\Steam.exe" = D:\Sicherung D\SPIELE\CS Source\Steam.exe:*:Enabled:Steam -- File not found

"D:\Sicherung D\Emule\emule.exe" = D:\Sicherung D\Emule\emule.exe:*:Enabled:eMule -- File not found

"D:\Trillian\trillian.exe" = D:\Trillian\trillian.exe:*:Enabled:Trillian -- (Cerulean Studios)

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

"D:\Emule\emule.exe" = D:\Emule\emule.exe:*:Enabled:eMule -- (hxxp://www.emule-project.net)

"D:\SPIELE\WOW\World of Warcraft\WoW-2.3.3.7799-to-2.4.0.8089-deDE-downloader.exe" = D:\SPIELE\WOW\World of Warcraft\WoW-2.3.3.7799-to-2.4.0.8089-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

"D:\SPIELE\CS Source\SteamApps\horis01\counter-strike source\hl2.exe" = D:\SPIELE\CS Source\SteamApps\horis01\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()

"C:\Programme\VideoLAN\VLC\vlc.exe" = C:\Programme\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()

"C:\Programme\DNA\btdna.exe" = C:\Programme\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)

"D:\Programme\BitTorrent\bittorrent.exe" = D:\Programme\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)

"D:\Programme\Curse\CurseClient.exe" = D:\Programme\Curse\CurseClient.exe:*:Enabled:Curse Client -- File not found

"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- File not found

"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- File not found

"C:\Programme\Microsoft ActiveSync\rapimgr.exe" = C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)

"C:\Programme\Microsoft ActiveSync\wcescomm.exe" = C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)

"C:\Programme\Microsoft ActiveSync\WCESMgr.exe" = C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

"C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 0c0bf048\Launcher.exe" = C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 0c0bf048\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found

"C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 0e03f3a0\Launcher.exe" = C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temp\Blizzard Launcher Temporary - 0e03f3a0\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found

"D:\WoW Test\World of Warcraft Public Test\WoW-0.1.0-deDE-downloader.exe" = D:\WoW Test\World of Warcraft Public Test\WoW-0.1.0-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- File not found

"D:\WoW Test\World of Warcraft Public Test\Launcher.exe" = D:\WoW Test\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found

"D:\SPIELE\WOW\World of Warcraft\Launcher.exe" = D:\SPIELE\WOW\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)

"C:\Programme\Java\jre6\launch4j-tmp\JDownloader.exe" = C:\Programme\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)

"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)

"C:\Programme\Java\jre6\bin\javaw.exe" = C:\Programme\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)

"C:\Programme\Java\jre6\bin\java.exe" = C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)

"D:\SPIELE\Anno1404\tools\Anno4Web.exe" = D:\SPIELE\Anno1404\tools\Anno4Web.exe:*:Disabled:Anno4Web -- ()

"D:\SPIELE\WOW\World of Warcraft\BackgroundDownloader.exe" = D:\SPIELE\WOW\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

"D:\SPIELE\WOW\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-deDE-downloader.exe" = D:\SPIELE\WOW\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

"D:\SPIELE\WOW\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-deDE-downloader.exe" = D:\SPIELE\WOW\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

"D:\SPIELE\WOW\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-deDE-downloader.exe" = D:\SPIELE\WOW\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

"D:\SPIELE\WOW\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-deDE-downloader.exe" = D:\SPIELE\WOW\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-deDE-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)

 

 
 ========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0513EE35-E0FB-4166-B663-BD1AE3A803DE}" = Anno 1404

"{0E2B767B-EA6A-489B-BF83-8083FE1DB661}" = Pcsx2 0.9.6

"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0

"{1A9C3B2E-360E-4353-8E17-312342E24194}" = Speed-Link SL-6535 USB Pad

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 18

"{310BC5E2-31AF-49BB-904D-E71EB93645DC}" = AI Suite

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7

"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3D9CF3CA-3AB0-4A82-9853-D7C43FD1D775}" = ANNO 1404

"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation

"{498A4E3D-562E-4129-8722-6DCAB12384AE}" = Windows Communication Foundation Language Pack - DEU

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{5DB65884-C963-4454-AABA-4CA3089281FA}" = NVIDIA PhysX

"{65539616-9067-41FB-8C04-423897569876}" = Aion

"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0

"{7228FD8C-3B9E-4204-AE36-8A466107685B}" = Windows Workflow Foundation DE Language Pack

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.7.2.188

"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation

"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP

"{8937FCB2-2FC6-4FC3-9FB5-DE2C92DB9C38}" = Microsoft .NET Framework 2.0 Language Pack - DEU

"{90110407-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional

"{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}" = Windows Presentation Foundation Language Pack (DEU)

"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.0 - Deutsch

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver

"{C9FB868B-2086-4EE2-BD4F-BFBA36B131F4}" = NCsoft Launcher

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F2A7F421-1679-48D5-B918-96999014ED53}" = Microsoft .NET Framework 3.0 German Language Pack

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"AFPL Ghostscript 8.54" = AFPL Ghostscript 8.54

"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts

"Ashampoo Burning Studio 2009 Advanced_is1" = Ashampoo Burning Studio 2009 Advanced

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"AVMWLANCLI" = AVM FRITZ!WLAN

"EAX(tm) Unified (SHELL)" = EAX(tm) Unified (SHELL)

"eMule" = eMule

"FINAL FANTASY VIII" = FINAL FANTASY VIII

"FreePDF_XP" = FreePDF XP (Remove only)

"HijackThis" = HijackThis 2.0.2

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"KLiteCodecPack_is1" = K-Lite Codec Pack 3.1.0 Full

"Magic ISO Maker v5.5 (build 0272)" = Magic ISO Maker v5.5 (build 0272)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0

"Microsoft .NET Framework 2.0 Language Pack - DEU" = Microsoft .NET Framework 2.0 Language Pack - DEU

"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0

"Microsoft .NET Framework 3.0 German Language Pack" = Microsoft .NET Framework 3.0 German Language Pack

"Mozilla Firefox (3.6.2pre)" = Mozilla Firefox (3.6.2pre)

"Mumble" = Mumble and Murmur

"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition

"NeroVision!UninstallKey" = NeroVision Express 3

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"Redirection Port Monitor" = RedMon - Redirection Port Monitor

"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2

"TeamSpeak 3 Client" = TeamSpeak 3 Client

"VLC media player" = VideoLAN VLC media player 0.8.6c

"WebEradicator" = WebEradicator

"WIC" = Windows Imaging Component

"Winamp" = Winamp (remove only)

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows Mobile Device Handbook" = Windows Mobile-Ressourcen

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR Archivierer

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"World of Warcraft" = World of Warcraft

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

 
 ========== HKEY_CURRENT_USER Uninstall List ==========

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"727d1ea1876aa06e" = WowAceUpdater

"BitTorrent" = BitTorrent

"BitTorrent DNA" = DNA

 
 ========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 23.02.2010 13:30:35 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 25.02.2010 17:32:33 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 26.02.2010 10:06:12 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung javaw.exe, Version 6.0.180.7, fehlgeschlagenes

 Modul java.dll, Version 6.0.180.7, Fehleradresse 0x00005875.

 

Error - 26.02.2010 16:55:21 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 26.02.2010 19:46:31 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 27.02.2010 18:19:07 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 28.02.2010 14:15:07 | Computer Name = KAIS | Source = Application Error | ID = 1000

Description = Fehlgeschlagene Anwendung ff8.exe, Version 0.0.0.0, fehlgeschlagenes

 Modul ff8.exe, Version 0.0.0.0, Fehleradresse 0x0016121b.

 

Error - 29.03.2010 12:28:04 | Computer Name = KAIS | Source = NativeWrapper | ID = 5000

Description = 

 

Error - 29.03.2010 12:28:07 | Computer Name = KAIS | Source = HotFixInstaller | ID = 5000

Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb953300,

 P2 1031, P3 1605, P4 msi, P5 f, P6 9.0.40302.0, P7 install, P8 x86, P9 xp, P10 

0.

 

Error - 29.03.2010 12:28:11 | Computer Name = KAIS | Source = HotFixInstaller | ID = 5000

Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb974417,

 P2 1031, P3 1605, P4 msi, P5 f, P6 9.0.40302.0, P7 install, P8 x86, P9 xp, P10 

0.

 

[ System Events ]

Error - 26.03.2010 06:04:30 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 26.03.2010 18:33:30 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 27.03.2010 06:26:52 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 28.03.2010 18:15:03 | Computer Name = KAIS | Source = sr | ID = 1

Description = Beim Verarbeiten der Datei "" auf Volume "HarddiskVolume1" ist im 

Wiederherstellungsfilter der unerwartete Fehler "0xC0000001" aufgetreten. Die Volumeüberwachung

 wurde angehalten.

 

Error - 28.03.2010 18:16:08 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 28.03.2010 20:55:48 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 29.03.2010 12:39:00 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 29.03.2010 14:51:59 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 29.03.2010 18:15:03 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

Error - 29.03.2010 19:15:10 | Computer Name = KAIS | Source = Service Control Manager | ID = 7011

Description = Zeitüberschreitung (30000 ms) beim Warten auf eine Transaktionsrückmeldung

 von Dienst NVSvc.

 

 

< End of report >

Nichts zu entdecken soweit.

1. Starte OTL.
Kopiere unten in das Skript-Feld rein:

Zitat:

:OTL
O4 - HKCU..\Run: [MSMSGS] C:\Programme\Messenger\Msmsgs.exe File not found
O4 - HKCU..\Run: [PlayNC Launcher] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)

:Commands
[emptytemp]

Klicke auf Run Fix.
Neustart zulassen, wenn gefragt.

2. Hol dir AVZ
Entpacke und starte AVZ.
Führe einen Update durch (Button auf der rechten Seite unten ("Database Update") - dann auf Start).
Nach dem Update:
Setze oben links ein Häkchen beim Laufwerk C:
Wechesle zu "File Types" und wähle All Files.
Wechsele zu "Search Parameters", setze zusätzlich ein Häkchen bei
Block User-Mode Rootkits und
Block Kernel-Mode Rootkits

Schließe alle anderen Programme.
Klicke auf Start, der Scan wird eine Weile in Anspruch nehmen.
Speichere nach dem Scan das Log mit dem Button unten rechts "Save Log" und poste es.

Ähm...ich häng mich mal kurz rein und wollte mal sagen, das es sich bei diesem HotKeyhook.dll doch vieleicht um einen Keylogger handelt.

Auf jedenfall ist das ein Teil eines Programms, das Tastaturanschläge verfolgt, wie es zum beispiel bei Trainern vorkommt...z.b. F1 oder sowas!

Deswegen könnte vieleicht auch der Acc gehackt worden sein...

Aber nun weiter zu dem User, der dir da hilft...

Zitat:

Jo.. wurde ja von Malwarebytes gekillt. Ein Trojaner kommt halt selten allein, wär schon nicht schlecht, da genauer hinzuschauen. :)

@ BIOTEC

Zitat:

Es war ein Keylogger. Die Auswertung bei Virustotal, die ich leider nicht mehr habe, sagte bei 20/42 positiv. Einer benannte die Datei mit Win32.Banker. Bei anderen hieß er eben anders, aber anderer Name gleicher Mist. Wie gesagt Malwarebytes hat ihn gefunden und gelöscht.

So hier das Log von AVZ:

Code:

AVZ Antiviral Toolkit log; AVZ version is 4.32

Scanning started at 30.03.2010 14:30:12

Database loaded: signatures - 268960, NN profile(s) - 2, malware removal microprograms - 56, signature database released 28.03.2010 23:44

Heuristic microprograms loaded: 381

PVS microprograms loaded: 9

Digital signatures of system files loaded: 190711

Heuristic analyzer mode: Medium heuristics mode

Malware removal mode: disabled

Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights

System Restore: enabled

1. Searching for Rootkits and other software intercepting API functions

1.1 Searching for user-mode API hooks

 Analysis: kernel32.dll, export table found in section .text

 Analysis: ntdll.dll, export table found in section .text

 Analysis: user32.dll, export table found in section .text

 Analysis: advapi32.dll, export table found in section .text

 Analysis: ws2_32.dll, export table found in section .text

 Analysis: wininet.dll, export table found in section .text

 Analysis: rasapi32.dll, export table found in section .text

 Analysis: urlmon.dll, export table found in section .text

 Analysis: netapi32.dll, export table found in section .text

 >> Danger ! Process masking detected

1.2 Searching for kernel-mode API hooks

 Driver loaded successfully

 SDT found (RVA=085700)

 Kernel ntkrnlpa.exe found in memory at address 804D7000

   SDT = 8055C700

   KiST = 8050446C (284)

Function NtCreateKey (29) intercepted (806237B6->BAEB0306), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtCreateThread (35) intercepted (805D0FE2->BAEB02FC), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtDeleteKey (3F) intercepted (80623C46->BAEB030B), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtDeleteValueKey (41) intercepted (80623E16->BAEB0315), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtEnumerateKey (47) intercepted (80623FF6->BA6C5CA4), hook spbv.sys

>>> Function restored successfully !

>>> Hook code blocked

Function NtEnumerateValueKey (49) intercepted (80624260->BA6C6032), hook spbv.sys

>>> Function restored successfully !

>>> Hook code blocked

Function NtLoadKey (62) intercepted (806259B2->BAEB031A), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtOpenKey (77) intercepted (80624B88->BA6A70C0), hook spbv.sys

>>> Function restored successfully !

>>> Hook code blocked

Function NtOpenProcess (7A) intercepted (805CB40A->BAEB02E8), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtOpenThread (80) intercepted (805CB696->BAEB02ED), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtQueryKey (A0) intercepted (80624EAE->BA6C610A), hook spbv.sys

>>> Function restored successfully !

>>> Hook code blocked

Function NtQueryValueKey (B1) intercepted (806219EE->BA6C5F8A), hook spbv.sys

>>> Function restored successfully !

>>> Hook code blocked

Function NtReplaceKey (C1) intercepted (80625862->BAEB0324), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtRestoreKey (CC) intercepted (8062516E->BAEB031F), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtSetValueKey (F7) intercepted (80621D3C->BAEB0310), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Function NtTerminateProcess (101) intercepted (805D29AC->BAEB02F7), hook not defined

>>> Function restored successfully !

>>> Hook code blocked

Functions checked: 284, intercepted: 16, restored: 16

1.3 Checking IDT and SYSENTER

 Analyzing CPU 1

 Analyzing CPU 2

CmpCallCallBacks = 00093D84

Disable callback OK

 Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

 Checking not performed: extended monitoring driver (AVZPM) is not installed

 Driver loaded successfully

1.5 Checking IRP handlers

\FileSystem\ntfs[IRP_MJ_CREATE] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_WRITE] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A5E21F8 -> hook not defined

\FileSystem\ntfs[IRP_MJ_PNP] = 8A5E21F8 -> hook not defined

 Checking - complete

2. Scanning RAM

 Number of processes found: 42

 Number of modules loaded: 372

Scanning RAM - complete

3. Scanning disks

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\cert8.db

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\content-prefs.sqlite

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\downloads.sqlite

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\formhistory.sqlite

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\key3.db

Direct reading: C:\Dokumente und Einstellungen\Kai\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\places.sqlite

Direct reading: C:\Dokumente und Einstellungen\Kai\Cookies\index.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\IETldCache\index.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Microsoft\CardSpace\CardSpace.db

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\Cache\_CACHE_001_

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\Cache\_CACHE_002_

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\Cache\_CACHE_003_

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\2npbh9zo.default\urlclassifier3.sqlite

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temp\~DFA217.tmp

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Verlauf\History.IE5\index.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\Lokale Einstellungen\Verlauf\History.IE5\MSHist012010033020100331\index.dat

Direct reading: C:\Dokumente und Einstellungen\Kai\NTUSER.DAT

Direct reading: C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat

Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat

Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat

Direct reading: C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat

Direct reading: C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT

Direct reading: C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat

Direct reading: C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT

Direct reading: C:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171\change.log

Direct reading: C:\WINDOWS\SchedLgU.Txt

Direct reading: C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Direct reading: C:\WINDOWS\system32\CatRoot2\edb.log

Direct reading: C:\WINDOWS\system32\CatRoot2\tmp.edb

Direct reading: C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb

Direct reading: C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

Direct reading: C:\WINDOWS\system32\config\AppEvent.Evt

Direct reading: C:\WINDOWS\system32\config\default

Direct reading: C:\WINDOWS\system32\config\Internet.evt

Direct reading: C:\WINDOWS\system32\config\SAM

Direct reading: C:\WINDOWS\system32\config\SecEvent.Evt

Direct reading: C:\WINDOWS\system32\config\SECURITY

Direct reading: C:\WINDOWS\system32\config\SysEvent.Evt

Direct reading: C:\WINDOWS\system32\config\system

Direct reading: C:\WINDOWS\system32\drivers\sptd.sys

Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Direct reading: C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Direct reading: C:\WINDOWS\Temp\Perflib_Perfdata_b4.dat

Direct reading: C:\WINDOWS\WindowsUpdate.log

4. Checking  Winsock Layered Service Provider (SPI/LSP)

 LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

6. Searching for opened TCP/UDP ports used by malicious software

 Checking - disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)

>> Services: potentially dangerous service allowed: TermService (Terminaldienste)

>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)

>> Services: potentially dangerous service allowed: Schedule (Taskplaner)

>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)

>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

Checking - complete

9. Troubleshooting wizard

 >>  HDD autorun is allowed

 >>  Network drives autorun is allowed

 >>  Removable media autorun is allowed

Checking - complete

Files scanned: 164450, extracted from archives: 118919, malicious software found 0, suspicions - 0

Scanning finished at 30.03.2010 14:46:25

!!! Attention !!! Restored 16 KiST functions during Anti-Rootkit operation

This may affect execution of certain software, so it is strongly recommended to reboot

Time of scanning: 00:16:14

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address hxxp://virusinfo.info conference

Dann wollen wir jetzt mal SION dein Log auswerten lassen und ich schätze mal, das der KL jetzt zwar weg ist, aber dein Acc auch...das heisst das nächste mal viel vorsichtiger sein, was man ausführt...

Bei mir gibts nix zu holen...da haben Banker keinen Erfolg...^^

Aber nochwas....ich hatte schon mit Bankern zu tun, die biste garnicht mehr losbekommen...

Ich bin raus aus dem Thread und wünsche euch viel erfolg und dir einen immer sauberen, schnellen PC!

Gruss BIOTEC

so Superantispyware:

Code:

SUPERAntiSpyware Scan Log

hxxp://www.superantispyware.com
 

Generated 03/30/2010 at 04:44 PM
 

Application Version : 4.34.1000
 

Core Rules Database Version : 4748

Trace Rules Database Version: 2560
 

Scan type       : Complete Scan

Total Scan Time : 00:49:34
 

Memory items scanned      : 550

Memory threats detected   : 0

Registry items scanned    : 5202

Registry threats detected : 0

File items scanned        : 67461

File threats detected     : 1
 

Adware.Tracking Cookie

        C:\Dokumente und Einstellungen\Kai\Cookies\kai@microsoftwga.112.2o7[1].txt

und Dr.Web:

Code:

A0066968.exe;C:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Tool.RemoveWGA;;

fdel.exe;C:\WINDOWS;Tool.ForceDel.5;;

AddiTunes.exe;D:\A-one iPod PSP 3GP Video Converter\app;Trojan.PWS.Legmir;Gelöscht.;

QT3GPPFlatten.exe;D:\A-one iPod PSP 3GP Video Converter\app;Trojan.PWS.Legmir;Gelöscht.;

cracksearcher.exe;D:\Downloads;Tool.CrackSearch;;

RemoveWGA12.exe;D:\Downloads;Tool.RemoveWGA;;

MSD.exe;D:\MSD\MSD 0.655;Trojan.DownLoad1.12231;Gelöscht.;

linkkuzeyforum.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

linkprotector.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

rsprotect.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

safefilecash.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

safelink.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

tresor.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

uppicoasis.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

wonsite.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Win32.HLLW.Mistri;Gelöscht.;

xvidznet.dll;D:\MSD\MSD 0.655\Plugins\YCPlugins;Trojan.DownLoader.33828;Gelöscht.;

A0067988.exe;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Trojan.PWS.Legmir;Gelöscht.;

A0067989.exe;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Trojan.PWS.Legmir;Gelöscht.;

A0067990.exe;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Trojan.DownLoad1.12231;Gelöscht.;

A0067991.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067992.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067993.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067994.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067995.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067996.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067997.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067998.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Win32.HLLW.Mistri;Gelöscht.;

A0067999.dll;D:\System Volume Information\_restore{72802088-84C5-4BBB-9BAF-9A3B8B0DB10A}\RP171;Trojan.DownLoader.33828;Gelöscht.;

Zitat:

cracksearcher.exe;D:\Downloads;Tool.CrackSearch;;
RemoveWGA12.exe;D:\Downloads;Tool.RemoveWGA;;

Cracks sowie gecrackte Windowssysteme sind illegal und werden hier nicht bereinigt. Weiter geht's mit:

http://www.trojaner-board.de/51262-a...sicherung.html

Ich bin weg.

Code:

cracksearcher.exe;D:\Downloads;Tool.CrackSearch;;

RemoveWGA12.exe;D:\Downloads;Tool.RemoveWGA;;

Das man derartiges auf dem PC hat und dies ungesund ist stelle ich nicht in Abrede. Aber ist es gleich Anlass denjenigen zu kriminalisieren. Cracksearcher wurde nie benutzt, es liegt nur als Datenmüll rum. Und Remove WGA hab ich drauf, da ich es nervend finde, diesen Nachhaustelefonierer nach jedem regulären Update neu auf dem System zu haben. Wenn man diese Datei nur auf unseriösen Seiten bekäme würde ich deine Aussage nachvollziehen können, aber derweil gibt es diese Datei auch bei größeren regulären Seiten. In diesem Falle habe ich diese bei CHIP geladen.